Am 13.02.2016 um 09:53 schrieb Dmitry Smirnov:
Source: otrs2
Version: 5.0.6-1
Severity: serious
I'm quite shocked to find how badly otrs2 packaging violates DFSG.
There are many non-distributrable pre-built (minified) source-less files in
orig tarball under "var/httpd/htdocs/js/thirdparty". No attemps to fix this
situation has been and some inconvenient lintian warnings (such as "source-
contains-prebuilt-javascript-object" and "source-contains-prebuilt-flash-
object") are hidden through use of lintian-overrides. Moreover many bundled
third party components are not even documented in "debian/copyright". :( :(
Fixing those problems is neigher optional nor hard. To comply with policy
sources of minified files can be shipped in "debian/missing-sources".
Minified files can be replaced on build time with their uncompressed original
files or even with files minified by build srcipts (if you believe in
minification). Where appropriate you can certainly use system libjs-*
packages and there is already bug for that: #695664.
At your convenience you can use "dh_linktree" or "dh_link" helpers to
facilitate replacement.
New `uscan` functionality allows to do DFSG-repackaging by utilising
"copyright/Files-Excluded" field -- you can read more about that in
https://wiki.debian.org/UscanEnhancements
(Also it might be helpful to add "repacksuffix=+dfsg" to "debian/watch").
Finally you don't have to document copyrights and licenses for files that
were dropped from orig.tar.
You are not the only maintainer who have to deal with pesky bundled non-DFSG
third party components. Just recently yours truly had to fix package
"ckeditor" because one of my packages bundles it. Therefore I'm confident
that you can replace "ckeditor" bundled to "otrs2" with "ckeditor (>=
4.5.6~)" right now and that it is safe to do so.
Please address all those problems ASAP.
I do not comply with your report. I am aware of those issues, that is
also why the embedded-code-copies bug is marked as "need help". OTRS
packaging is a hard job and mostly it is not possible to replace the
libjs thirdparty foo with the packages from Debian, mostly because of
version missmatches. Nobody is willed (or in my case able) to fix those
JS issues, which appear here and then with different versions in
different places (ugly JS sh..).
If everything is simple for you and just replacements have to be done
(which is not the case) then I would be happy to welcome you on the
otrs-packaging board.
Just a short example:
With 5.0.1-2 I had to drop (and inform the security team) about removing
again the use of the libjs-jquery* packages from Debian, because of #802938
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
patr...@linux-dev.org
*/
